Configuring correct firewall rules with proxy
-
Hi KOM,
i tried a non transparent proxy configuration.
WPAD autodiscover isn't working; I have to give him manually the path to the pac file, but this isn't too bad for now.I'm sitll having some trouble with traffic filtering/blocking.
If I remove the "allow Lan to any" rule, I have no internet.
and then even adding the rdp rule, the rdp connection fails.if I add the "allow Lan to any" rule, Internet works just like before with my transparent proxy. Just that when I open a blocked https site (like facebook), I get an unable to connect error.
Every other page like pron or so is perfectly blocked with a reason message.:(
-
I have to give him manually the path to the pac file
Most systems are looking for wpad.dat. Proxy.pac is used by Macs I believe, and some specific apps. Best to have both since they can be identical. Make sure all your clients are set to auto-discover the proxy. Make sure you have your DNS and DHCP entries correct. It should work for almost everything with the exception of Android. I have seen some cases where Windows boxes must be set manually even when auto-detection is enabled (which is is by default on Windows).
-
Good evening,
autodiscover now works fine, but I still have the firewall problems.
I'm sitll having some trouble with traffic filtering/blocking.
If I remove the "allow Lan to any" rule, I have no internet.
and then even adding the rdp rule, the rdp connection fails.if I add the "allow Lan to any" rule, Internet works just like before with my transparent proxy. Just that when I open a blocked https site (like facebook), I get an unable to connect error.
Every other page like pron or so is perfectly blocked with a reason message. -
I've seen that before. I think that's a side-effect of using transparent proxy with squidguard and HTTPS. Blocked sites don't go to the specified error page. Works fine when you're not using transparent mode.
Firewall rules are processed top-down, first-match. By removing the Allow All from LAN rule, you're blocking everything including DNS.
-
Transparent mode is deactivated :-)
-
I have to leave for the day but post a screencap of your LAN rules so I or someone else can see what's going on.
-
Here are the FW rules (quite simple for now;) )
If for now I deactivate LAN net rule, I have no internet; which is correct, but when activating the AllowRDP rule, rdp isn't working.
and my next question would be: what rule should activate webbrowsing for my configuration?
-
Basically, create a ports alias called WebPorts, for example. Populate it with 80 and 443. Create a LAN rule just below your RDP rule that blocks WebPorts for all. Add a rule that allows TCP port 53 (DNS) for all. Delete that last allow all rule. Save & done.
-
hi,
ok, tried this, but I think something different is messed up I think. With all rules disabled, I am still able to surf the web… ??? -
Post your LAN rules screencap again.